What is a DMARC Policy?

Q: What is a DMARC Policy?

A DMARC policy allows a sender's domain to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine.

What is a DMARC policy? DMARC is a widely popular email authentication protocol that takes email security to new heights. The specialty of DMARC is that it bestows upon domain owners the ability to protect their domain from unauthorized use and abuse by cybercriminals, as in the case of email spoofing. An enforced DMARC policy in your organization can help mitigate Business Email Compromise, phishing scams, and other cyber threats that revolve around email security and domain abuse.

For DMARC to be implemented in your organization, the DMARC DNS entry needs to be published and stored in the DNS. As soon as the DMARC entry is published, any receiving email server can authenticate the incoming emails as per the instructions defined by the domain owner within the DNS entry. Only if the email passes the authentication it will be delivered to the receiver’s inbox, however, if the email fails authentication, depending on the DMARC policy it would be either delivered, quarantined, or rejected.

Start 15-day trial Book a demo

What Does a DMARC Policy do?

After learning what is a DMARC policy, let’s understand what it does. A DMARC policy essentially enables a domain owner to specify what to do in case an email fails both SPF and DKIM checks (i.e. whether to quarantine or reject it). The DMARC DNS record also specifies how the recipient can report back to the domain owner, in case an email fails authentication.

However, while opting for DMARC implementation, it is important to ensure that the DMARC policy is enforced to either quarantine or reject. Though none policy is the starting point to monitor your email flow, it doesn’t facilitate the implementation of DMARC enforcement at your organization, as it doesn’t enforce action on the emails that fail DMARC authentication, hence, it is still delivered into the recipient’s inbox. Hence, in order to avoid such a situation, a quarantine or reject policy can prevent a wide range of email security breaches.

What are the types of DMARC Policy?

A DMARC policy can be set to none, quarantine or reject, depending on the level of DMARC enforcement you want to opt for. Here, p is the parameter that specifies DMARC policy:

A none policy (p=none) is relaxed and provides zero enforcement, as every email that is received by the recipient’s email server lands into their inbox, whether or not they fail authentication.
The quarantine policy (p=quarantine) provides DMARC enforcement as the domain owner can prompt the receiver to roll back emails into the spam folder in case the message fails DMARC authentication.
Finally, the reject policy (p=reject) ensures that all emails that fail authentication are not delivered to the receiver’s inbox, thereby providing absolute enforcement.

Which DMARC policy should you use and why?

The DMARC policy you use depends on the level of enforcement you desire and the purpose your policy will serve. Here are a few ways you can leverage your DMARC policy and its subsequent uses:

To monitor your email channels
If you simply want to monitor your email channels, a DMARC policy at p=none is enough. This policy will however not protect you against cyberattacks.
To protect against Phishing and Spoofing Attacks
If you want to protect your emails against phishing attacks and direct-domain spoofing, a DMARC policy of p=reject is imperative. It provides the highest level of DMARC enforcement and effectively minimizes impersonation attacks.
To review suspicious emails before they are delivered
If you don’t want to outright block unauthorized emails, instead, allow your receivers to review emails that fail authentication in their quarantine folder, a DMARC quarantine policy is your best bet.

Which DMARC policy should you use and why-01

Which DMARC policy prevents spoofing?

A DMARC reject policy is the only DMARC policy that is effective in preventing spoofing attacks. This is because a reject DMARC policy blocks unauthorized emails from reaching your receiver’s inbox, thereby stopping them from accepting, opening, and reading bad emails.

Is Opting for a DMARC Policy at Your Organization Enough?

The answer is no. Simply implementing is not enough as a proper reporting mechanism and maintenance is required as well. PowerDMARC ensures that all of that is handled in the background.

PowerDMARC’s extensive reporting mechanism includes two separate reports as a part of the multifaceted and multilayered DMARC record- Aggregate report and Forensic report. Aggregate reports are sent to the address specified following the RUA tag, while Forensic reports are emailed to the address following the RUF tag. Aggregate reports that are generated once per day and contain a comprehensive report on all the emails that failed or passed email authentication and at what stage. Forensic Reports, also known as Failure Reports, are generated in real-time and consist of redacted copies of individual emails that failed SPF, DKIM, or both based upon what value is specified in the FO tag.

Furthermore, the threat-mapping feature enables domain owners to find out the geo-locations of all domain abusers who are impersonating their domain in real-time, along with the choice to report abusive IPs and block them permanently. This DMARC monitoring tool provides optimal insight into email spoofing attacks taking place at various locations around the globe and provides complete visibility on your domain. So sign up today for your free DMARC trial.

The journey from DMARC None to DMARC Reject

To shift to an enforced DMARC policy, you need to make sure of the following:

That your record is valid and properly set up
You are not facing deliverability issues on legitimate emails

This requires constant monitoring and management. To make the shift effortless for you, PowerDMARC’s DMARC analyzer helps you monitor your email channels on a single SaaS platform. Take action against malicious IPs, change your DMARC policy settings, schedule PDF reports and do much more across a single pane of glass!

The journey from DMARC None to DMARC Reject-01

Common errors with DMARC policies & How to fix them?

Syntax Errors

You should be wary of any syntax errors while setting up your record to make sure that your protocol functions correctly.

Configuration Errors

Errors while configuring the DMARC policy are common and can be avoided by using a DMARC lookup tool.

DMARC sp policy

If you configure a DMARC reject policy, but set up your subdomain policies to none, you will not be able to achieve compliance on all your outbound emails.

What is a DMARC Policy helping you achieve and why do you need a DMARC Policy?

A DMARC policy can protect against a wide range of email-based attacks at your organization. Email is the easiest way to use your brand for fraud. By using your domain and impersonating your brand, hackers can send malicious phishing emails to your own employees and customers. Not only will this compromise security in your organization, but it will seriously harm your brand reputation. DMARC can make your domain safe again and free from all kinds of email security breaches by cybercriminals. Implementing the DMARC analyzer tool can enable you to put an end to email spoofing attacks and domain abuse, stop CEO fraud, fake invoices, BEC attacks, the spread of ransomware, login credential thefts, etc.

You need an enforced DMARC policy at your organization to:

Protect your brand’s image and reputation
Prevent the loss of confidential data
Prevent financial losses
Enhance email deliverability rate
Enhance your brand’s reliability among its partners and customer-base
Avoid legal risks

Book a Demo